Sony: some PSN data encrypted, hardware moving to new location

Sony is sharing more information about its response to the malicious attack …

Patrick Seybold is the senior director of corporate communications and social media for Sony Computer Entertainment of America. Right now, he's got a tough job. Sony's updates on the PlayStation Network are written by Seybold and posted to the official blog. There's a new update on the blog, in the form of a Q&A about the attack. There are a few interesting details here, including the lack of encryption on some of the personal data, and the fact that the location of the hardware that runs the PlayStation Network is being moved.

It has to be said that, at this point, no one is envious of Seybold's position within Sony.

"Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation," Seybold explained. "This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible." Remember, the disclosure laws don't come into play if a law enforcement agency argues that disclosure would harm an investigation. We've been told by a consumer advocacy group that this is a common loophole used by corporations who are the victims of this sort of attack.

Another interesting revelation is the fact that some of the data was encrypted, and some wasn't. "The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," Seybold wrote. He also pointed out that the information was behind both physical and electronic safeguards, which means the attack may have been carried out by an employee.

In terms of your credit card information and password, Seybold repeated our advice to search for an e-mail from "DoNotReply@ac.playstation.net," which will give you the first and last digits of the credit card you have on file with Sony. A coming update will prompt you to change your password when you log back into the PlayStation Network.

So what's coming?

The systems are down, they're being rebuilt, and security and infrastructure are both being improved. "Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network's security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly," Seybold wrote. The physical aspect is interesting; it was hinted that someone had to physically be there to steal the content, and now the whole mess is being moved to a new location entirely. Sony hopes to have PSN up and running again on May 3.

After all this, we're still days away from being able to play online. "Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday," he said. "However, we want to be very clear that we will only restore operations when we are confident that the network is secure."

Also, it's time to get Dirty Harry with those who are responsible. Sony is "working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located." With the combined forces of Sony, law enforcement, and a "recognized" technology security firm all working together, we might have the makings of a really excellent sitcom.


126 Reader Comments

I didn't know online was required to play games, but I guess it is. I've seen so many people claim they can't "play their games". Did these people only buy MMOs? I could have sworn there was a single player in games.

On the potential inside job; I just want to throw out there that, from the April 22nd blog post on Sony's blog, they did mention it was an "external intrusion." If you take that on face value, it would appear that it was not an inside job. Anyway, just a thought.

Not necessarily. It's possible that there were multiple aspects of it... take this scenario:
- An employee sneaks into the server room and attaches a USB drive to one of the servers
- An outside agent figures out a way to remotely trigger a database backup, and does so and sets the USB drive as the backup target
- The employee then has a flash drive with a full copy of the database, and can just casually walk out

This is just a random scenario I made up, but it's not extremely out there or anything, and would satisfy it both being an 'external' intrusion and an inside job.

Yeah, that's true, it could have originated any number of ways; but just trying to piece together what happened from the info we've been given, it would seem the actual attack was from an external source.

In the case of a CC, where the system needs to be able to supply it back to the merchant account for billing, there's usually a key in the merchant software that decrypts the value (again, on the fly) for submission to the merchant host. This key would, typically, be internal to the merchant system, and not really known to a Sony employee. One key is used to encrypt (Sony ppl COULD figure that one out), another to decrypt (Sony should not have access to this).

I would think that CC systems would also have different tiers of access, so that even people who do need to verify actual card numbers (like the CSRs at Chase) would be prevented from reading more than one CC every 30 seconds (or something like that), and that every access to a complete CC number would be logged by username.

The only people who should be able to dump an entire table would be very senior people who have more to lose by going to jail than they have to gain by selling CC numbers.

Any system where a guy making $10/hour can dump an entire CC table is bad by design.

Why the hell were they storing credit card numbers anyway? Standard practice is you store the last four digits, and the payment processor stores the billing information in PCI compliant servers. They issue some customer ID or something for recurring transactions.
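As an added example (not from the article or from any commenter), here is the card-on-file model the last few comments argue for, in Python: the merchant keeps only the last four digits plus an opaque processor token, every read is attributed to a username and logged, low-tier staff get one read per 30 seconds, and only a senior tier may export the table. The role names, the 30-second interval and the token format are assumptions; the tokenization call stands in for a real processor.

```python
"""Card-on-file handling as the comments describe it: last4 + processor
token only, per-user rate limiting, audit logging, no bulk dumps for
low-tier staff. Hypothetical example; roles and intervals are assumed."""
import secrets
from dataclasses import dataclass, field
from typing import Callable


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string; rejects obvious typos before storage."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> tuple[str, str]:
    """Stand-in for a payment processor's tokenization call (constructed):
    returns (last4, opaque token). The full PAN is never kept locally."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return pan[-4:], "tok_" + secrets.token_hex(12)


@dataclass
class CardVault:
    clock: Callable[[], float]          # injected so behaviour is testable
    min_interval: float = 30.0          # one card read per 30 s for CSR tier
    cards: dict = field(default_factory=dict)      # customer_id -> record
    roles: dict = field(default_factory=dict)      # username -> "csr"|"senior"
    last_read: dict = field(default_factory=dict)  # username -> timestamp
    audit: list = field(default_factory=list)      # (time, user, action, target, ok)

    def store(self, customer_id: str, pan: str) -> str:
        last4, token = tokenize(pan)
        self.cards[customer_id] = {"last4": last4, "token": token}
        return last4

    def _log(self, user: str, action: str, target: str, allowed: bool) -> None:
        self.audit.append((self.clock(), user, action, target, allowed))

    def read_token(self, user: str, customer_id: str) -> str:
        """Return the processor token for one customer; rate-limited for CSRs."""
        role = self.roles.get(user)
        if role not in ("csr", "senior"):
            self._log(user, "read", customer_id, False)
            raise PermissionError("no card access")
        now = self.clock()
        if role == "csr" and now - self.last_read.get(user, -1e9) < self.min_interval:
            self._log(user, "read", customer_id, False)
            raise PermissionError("rate limit: one read per %.0f s" % self.min_interval)
        self.last_read[user] = now
        self._log(user, "read", customer_id, True)
        return self.cards[customer_id]["token"]

    def export_all(self, user: str) -> list:
        """Whole-table export is restricted to the senior tier and always logged."""
        if self.roles.get(user) != "senior":
            self._log(user, "export", "*", False)
            raise PermissionError("bulk export restricted to senior tier")
        self._log(user, "export", "*", True)
        return [(cid, rec["last4"]) for cid, rec in self.cards.items()]


def denied(fn, *args) -> bool:
    """True if the call is refused by the access policy."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```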

Yes (I believe it was the 'older' forum software, I remember getting an email about it)

April 30, 2010:

Quote:

Hello,

You are receiving this message because you have registered an Ars Technica account with this email address.

Our previous forum provider (Social Strata, formerly known as Groupee and Infopop) had a server hacked recently, and has advised us that private registration email addresses were harvested. These included email addresses for anyone who registered with Ars Technica while we were still using their services. In addition, the rooted server was used to send out at least one mass phishing attempt.

Although Groupee/Social Strata tells us that no password information of any kind was accessible from that server, we still recommend that you change your Ars Technica password (and any account on a third party site you use that password with) just to be safe.

We became aware of this issue this morning and are following up with Groupee/Social Strata to see if we can get more details and assurances on the scope of the compromise. We have also requested that they purge all Ars Technica data from their systems so future problems don't affect our users.

We apologize for any inconvenience this may have caused. If you would like to read further updates on this issue, please see the active announcement we have in our new forums: viewtopic.php?f=3&t=1108748

I didn't know online was required to play games, but I guess it is. I've seen so many people claim they can't "play their games". Did these people only buy MMOs? I could have sworn there was a single player in games.

A lot of people will beat the single player in a few hours (see the /previous/ ars article about that!), and then spend 10x+ as much time doing multiplayer. I know I'd be quite annoyed if _I_ couldn't play any of my games online (that's the plus of not having all your games tied into a single platform ). Hell, a lot of people don't even care about the single player portion of most games (a lot of them are quite boring).

The thing that amazes me and SHOULD be the fact that opens Sony to mega lawsuits, is the lack of encryption of sensitive data, along with the fact it looks like Sony were using the PSN network for more than just PS3 user/game verification and PS3 online game sales activities. In other words they were using it to also gather data on users that was outside of the scope of what was needed to ensure only the minimum of data was gathered and stored. The classic case is why did they need exact DOB when age ranges (or just year of birth) are all that is needed to ensure a person is old enough to play a game. Or why do you need an address for someone to just play their games online. It's the golden rule: the minimum amount of information required, held for the minimum amount of time, and accessible only to the minimum number of people to ensure the reason why the information was given by the user is fulfilled.

I didn't know online was required to play games, but I guess it is. I've seen so many people claim they can't "play their games". Did these people only buy MMOs? I could have sworn there was a single player in games.

Good point. The tens of thousands of people playing Call of Duty will just see PSN is down, shrug, and play through the single player a couple more times instead.

Well, as I said earlier... for a CC payment system, usually there is a decryption key that resides within the merchant system itself. Primarily it comes down to access control, though. I work in banking and can attest that many, MANY instances of account information, PAN/SAN information, et cetera, are not encrypted in the workflow. If you use your card at an ATM by almost all major manufacturers, it's stored and presented in cleartext, though the presentation from the ATM to the host system MAY (and this is definitely about a 50/50) be presented over HTTPS rather than HTTP. Typically it is not, especially at smaller banks and credit unions. Even if it isn't stored in cleartext, it's presented as cleartext through SOAP messages to many back-end systems.

The move thing about innovyx is odd timing, though. They just started a move and now they're doing that AND trying to get PSN secured and back online? Am I just thinking things will get worse because Fukushima has been in the news?

It's the golden rule: the minimum amount of information required, held for the minimum amount of time, and accessible only to the minimum number of people to ensure the reason why the information was given by the user is fulfilled.

That's so sweet. I wish people like you were running these companies instead of people having no problem with forcing you into revealing a ton of personal information, storing it forever, then periodically flogging it to marketing scumbags without once thinking about the negative consequences.

And what exactly are the neg consequences for Sony now anyway? They screwed up and the punishment for them seems to be empty PR bumpf about how seriously they take security, a server move to a more secure location (Behind the sofa! the hackers will never find it there!) and keep their heads down for a month or so. Yay?

I hate when some company spouts nonsense about encryption then it seems that everyone is fine with it. My question would be how was the CC data encrypted, how many levels. Was it the actual data, or was it just the table or just the db. I'm surprised of the few posts I have read no one has asked or made a statement about how it was encrypted. Their environment might have made it just as easy to see the CC info as the unencrypted personal data. Come on people wake up....

Sorry had to rant a little....I'm glad Sony is getting closer to getting PSN up...I had last weekend without the kids and I was going to do some gaming all weekend, until this "issue" came up. Talk about timing...

I hate when some company spouts nonsense about encryption then it seems that everyone is fine with it. My question would be how was the CC data encrypted, how many levels. Was it the actual data, or was it just the table or just the db. I'm surprised of the few posts I have read no one has asked or made a statement about how it was encrypted. Their environment might have made it just as easy to see the CC info as the unencrypted personal data. Come on people wake up....

Sorry had to rant a little....I'm glad Sony is getting closer to getting PSN up...I had last weekend without the kids and I was going to do some gaming all weekend, until this "issue" came up. Talk about timing...

Most likely this is not divulged because the average PSN user wouldn't understand, so for most people just saying "encrypted" is enough to give them a warm fuzzy.

I hate when some company spouts nonsense about encryption then it seems that everyone is fine with it. My question would be how was the CC data encrypted, how many levels. Was it the actual data, or was it just the table or just the db. I'm surprised of the few posts I have read no one has asked or made a statement about how it was encrypted. Their environment might have made it just as easy to see the CC info as the unencrypted personal data. Come on people wake up....

Sorry had to rant a little....I'm glad Sony is getting closer to getting PSN up...I had last weekend without the kids and I was going to do some gaming all weekend, until this "issue" came up. Talk about timing...

Most likely this is not divulged because the average PSN user wouldn't understand, so for most people just saying "encrypted" is enough to give them a warm fuzzy.

Why would they release information as to the nature of the encryption? To help the thieves who stole it get it decrypted faster?

This is why I buy the Playstation currency cards at my local Target. I thought it was a nice idea for two reasons. One, I am under the impression that Target gets a percentage of the value of the refill card and a small portion of that percentage is used to employ someone who lives in my city. Second I can control my spending or if my account is hacked the damage would be limited. I am kinda lazy with my PS password since I use a controller to key in the password and I don't like to enable "save my password". I always imagined someone who was personally upset at my online behavior would be the source of problems with my PS account not Sony itself.

...It's the golden rule: the minimum amount of information required, held for the minimum amount of time, and accessible only to the minimum number of people to ensure the reason why the information was given by the user is fulfilled.

That's how it should be done. Unfortunately, it seems like most companies use "registration" as an excuse to harvest every possible bit of information from you that they can con you into giving.

My attitude is to assume that the company is incompetent and will lose control of my information. So I lie about absolutely everything I can get away with when filling out these forms.

Why would they release information as to the nature of the encryption? To help the thieves who stole it get it decrypted faster?

I agree that in this particular case, the last thing Sony needs to do is release information of their encryption algorithm. However, Sony had better have set up the encryption in a way so that in order to access it, part of the key is burned into the PS3/PSP/whatever. So even if the hackers knew the encryption algorithm, in order for the hackers to access that data they need to rob and mod the user's hardware to grab the key in order to get the CC information.

I have nothing in my house that's a Sony product, so I don't know a damned thing about PSN.

For those wondering how moving it all to another location with a different company could do anything to improve security without rearchitecting the setup...

You're both right and wrong. Like many things in life, there's more than one thing involved. I would be willing to bet that the new location has a harder firewall, more power and memory for the firewall, and probably some additional bandwidth to handle the new firewall, since it's going to be doing things like sniffing packets and looking for hinky things, which slows down the pipeline going into the server array (i.e., the user data for playing Call of Duty in a group).

Now, that won't do anything for their shoddy data practices, that will require some rearchitecture. However, it puts a new defense wall up in front of the shoddy data practices. You could equate it to having formerly had your data center protected by Kuffs Security Services, but now you've contracted out to a full bore mercenary group with landmines and AK-47's to do the security services. You still have the same shoddy data center, but it's much harder to get at it now.

Once they're back up and running, if they have brain cell one (which I am not willing to put money on) they will be working hard on redoing their base architecture on the data side and firming that up as well.

Why would they release information as to the nature of the encryption? To help the thieves who stole it get it decrypted faster?

I agree that in this particular case, the last thing Sony needs to do is release information of their encryption algorithm. However, Sony had better have set up the encryption in a way so that in order to access it, part of the key is burned into the PS3/PSP/whatever. So even if the hackers knew the encryption algorithm, in order for the hackers to access that data they need to rob and mod the user's hardware to grab the key in order to get the CC information.

I have nothing in my house that's a Sony product, so I don't know a damned thing about PSN.

I do have some Sony products in my house, and I don't know a damned thing about PSN either LOL. It just didn't make sense to me for Sony to give too much info beyond that the stuff was encrypted...

...It's the golden rule: the minimum amount of information required, held for the minimum amount of time, and accessible only to the minimum number of people to ensure the reason why the information was given by the user is fulfilled.

That's how it should be done. Unfortunately, it seems like most companies use "registration" as an excuse to harvest every possible bit of information from you that they can con you into giving.

My attitude is to assume that the company is incompetent and will lose control of my information. So I lie about absolutely everything I can get away with when filling out these forms.

I don't have a PSN account, but how much info did you have to give them during account creation? (compared to what was optional.) I know that 70 million account details were taken, but I'm sure a bunch of them were duplicate/old accounts (don't you need a japanese account to get access to some demos earlier?) and a whole lot more probably only had the bare minimum amount of info. I don't mind giving out my name and date of birth (usually I just round it up to Jan 1st of the right year) but any other fields that aren't required get skipped over.

Why would they release information as to the nature of the encryption? To help the thieves who stole it get it decrypted faster?

I agree that in this particular case, the last thing Sony needs to do is release information of their encryption algorithm. ...

If someone suggests that "If we described the algorithm it would be more easily circumvented," run fast and far. That is the equivalent to saying "We are hiding the implementation, because as soon as anyone competent sees it, they will take all your money and run."

This is called security by obscurity. It does not work. For real-life examples see: Clipper, WEP, CSS, AACS, BD+ and too many snake-oil encryption schemes to mention. No closed algorithm is worthy of your trust. Demand disclosure. Accept no excuses.

I see a lot of posts (here and elsewhere) with people saying that they have not seen any unauthorized charges on their credit cards yet, as if they are waiting until that happens to take action. All one needs to do is call their bank/cc company, mention that their card was on file with Sony and you have been notified of a potential breach of that information, and ask that the card be canceled and a new one be issued. You will need to add the new card number to any auto-billing, but after that you don't need to worry about it. This is especially important if it is a debit/check card, and the money is debited from your checking/savings account.

If someone suggests that "If we described the algorithm it would be more easily circumvented," run fast and far. That is the equivalent to saying "We are hiding the implementation, because as soon as anyone competent sees it, they will take all your money and run."

This is called security by obscurity. It does not work. For real-life examples see: Clipper, WEP, CSS, AACS, BD+ and too many snake-oil encryption schemes to mention. No closed algorithm is worthy of your trust. Demand disclosure. Accept no excuses.

I know security by obscurity doesn't work (except MAYBE for hiding your SSH port), but they've already been compromised. At this point, taking ANY kind of measure to protect everyone's data, no matter how small of an impact it will make, will help.

On the potential inside job; I just want to throw out there that, from the April 22nd blog post on Sony's blog, they did mention it was an "external intrusion." If you take that on face value, it would appear that it was not an inside job. Anyway, just a thought.

As much as I hate Sony, we have to be fair on this. They've obviously learned more about what happened and most likely didn't know everything on the 22nd. So what they _thought_ was an external intrusion could easily have turned out to be an internal one after more investigation. It's also human nature to want to blame outsiders for attacks instead of insiders, so it's likely they would have started out assuming it was an external attack unless they had definite knowledge otherwise.

But I'm not so sure I believe everything in this post by Sony either, some of it really comes across as first class bullshit, so maybe it all is. I'm not so sure they really know what happened yet.

I see a lot of posts (here and elsewhere) with people saying that they have not seen any unauthorized charges on their credit cards yet, as if they are waiting until that happens to take action. All one needs to do is call their bank/cc company, mention that their card was on file with Sony and you have been notified of a potential breach of that information, and ask that the card be canceled and a new one be issued. You will need to add the new card number to any auto-billing, but after that you don't need to worry about it. This is especially important if it is a debit/check card, and the money is debited from your checking/savings account.

Agreed. As a precautionary measure, I've already contacted my CC company and reported my card lost or stolen. My new card and new number will be in the mail. It took 5 minutes max, and I was able to do it using an automated system.

I see a lot of posts (here and elsewhere) with people saying that they have not seen any unauthorized charges on their credit cards yet, as if they are waiting until that happens to take action. All one needs to do is call their bank/cc company, mention that their card was on file with Sony and you have been notified of a potential breach of that information, and ask that the card be canceled and a new one be issued. You will need to add the new card number to any auto-billing, but after that you don't need to worry about it. This is especially important if it is a debit/check card, and the money is debited from your checking/savings account.

Personally I'm waiting until I see signs of theft before reacting because in my case, it's a lot easier to dispute charges than it is to have a new card issued. I have a lot of automatic payments going through my credit card so a new card means going to each billing company and giving them new card info vs just disputing a charge on my credit card statement.

I see a lot of posts (here and elsewhere) with people saying that they have not seen any unauthorized charges on their credit cards yet, as if they are waiting until that happens to take action. All one needs to do is call their bank/cc company, mention that their card was on file with Sony and you have been notified of a potential breach of that information, and ask that the card be canceled and a new one be issued. You will need to add the new card number to any auto-billing, but after that you don't need to worry about it. This is especially important if it is a debit/check card, and the money is debited from your checking/savings account.

Personally I'm waiting until I see signs of theft before reacting because in my case, it's a lot easier to dispute charges than it is to have a new card issued. I have a lot of automatic payments going through my credit card so a new card means going to each billing company and giving them new card info vs just disputing a charge on my credit card statement.

Just keep in mind, that as soon as you report one fraudulent charge, the first thing they'll do is issue you a new card... Plus, you'll probably need to fill out some form and talk with the fraud dept, etc.

What is very interesting to me is the moving of their architecture to a new facility. Doing this for a large scale operation like PSN is not academic in the least. I've worked on projects of this scale that have taken 6 months to a year to plan.

For Sony to implement this kind of move (assuming it was not already planned) in such a short time tells me they no longer have confidence in their current physical setup. Why/how this is the case has too many variables to guess at, but the cost/effort involved must be enormous.

It seems a bit extreme to me to move an entire data center simply due to an external data breach, unless they no longer can protect the local infrastructure from attack. Even so, why not harden the failure points individually?

Guessing (and a totally wild one at that) is that security is no longer trusted at the current physical site. Be it employees, procedure, the site itself, whatever, but to me this is an extremely interesting development....

If someone suggests that "If we described the algorithm it would be more easily circumvented," run fast and far. That is the equivalent to saying "We are hiding the implementation, because as soon as anyone competent sees it, they will take all your money and run."

This is called security by obscurity. It does not work. For real-life examples see: Clipper, WEP, CSS, AACS, BD+ and too many snake-oil encryption schemes to mention. No closed algorithm is worthy of your trust. Demand disclosure. Accept no excuses.

I know security by obscurity doesn't work (except MAYBE for hiding your SSH port), but they've already been compromised. At this point, taking ANY kind of measure to protect everyone's data, no matter how small of an impact it will make, will help.

At this point the horse is long out of the barn. Any concealment now is just ass covering or the implicit admission that the procedural weaknesses that are being concealed will still remain when the system is brought up again some time in the indefinite future.